Stripe Decline Code · Glossary
What It Means
not_permitted fires when the issuing bank or card network has determined that the cardholder is specifically not authorized to perform this type of transaction — a permission-level block targeting the cardholder's relationship with the card, not the card's general functionality or available funds. It sits one layer more specific than transaction_not_allowed: where transaction_not_allowed blocks a transaction feature, not_permitted blocks this specific cardholder from performing that specific transaction class — making it a targeted, identity-adjacent decline rather than a blanket card restriction.
Why It Happens
What NOT to Do
✕ Don't retry without a bank contact step
not_permitted requires cardholder-specific action at the bank level — the permission restriction is tied to the account, not the timing or funds. Retrying the same charge against the same card without the customer first resolving the permission issue with their bank produces identical failures every time and risks escalating the block severity.
✕ Don't treat it identically to transaction_not_allowed
The distinction matters operationally: transaction_not_allowed can sometimes be resolved by changing how you initiate the transaction (3DS, CIT vs. MIT). not_permitted cannot — it requires the cardholder to contact their bank and resolve a permission issue at the account level before any transaction type will succeed. Applying a 3DS re-auth flow to a not_permitted failure wastes engineering effort and customer goodwill.
✕ Don't send an alarming email — keep framing neutral and actionable
not_permitted on the customer side often feels confusing and arbitrary — they may not know their account has a restriction. Framing your email as "your bank has restricted this card" without a clear action path creates anxiety without resolution. Your copy must lead directly to the solution: call your bank, or use an alternate payment method — one clear CTA per email, not both simultaneously.
Retry Timing
not_permitted requires the customer to contact their bank before any retry. It is similar in structure to do_not_honor and security_violation, but with a more specific resolution path focused on restoring account-level permissions.
Recovery Benchmark
| Metric | Result |
|---|---|
| Overall recovery rate | 15–30% |
| Recovery when customer contacts bank | 40–55% of those who take action |
| Recovery via alternate payment method | +12–18% additional lift |
| Recovery with blind retries | ~3–7% |
| Customer action rate on bank-contact email | ~25–35% |
| Recovery within 7 days | ~18–25% |
A 25–30% recovery rate on not_permitted is the realistic ceiling — and the dominant lever is email specificity. Telling the customer exactly what to say to their bank ("Please activate online and recurring payments on my account") significantly outperforms vague "contact your bank" instructions. Pairing this with an immediate alternate payment method offer as a parallel track captures the segment that won't or can't resolve the bank restriction.
At Scale
Automated
Manual Escalation
FAQs
What does the Stripe not_permitted decline code mean?
not_permitted means the issuing bank has determined that this specific cardholder is not authorized to perform this type of transaction — a permission-level block at the account level, not a card product restriction or funds issue. The card may be active and funded, but the bank has restricted this cardholder from initiating subscription, online, or cross-border transactions specifically.
What are the most common causes of a not_permitted error in Stripe?
Common causes include a bank-imposed cardholder-level permission restriction on online or recurring payments, an account under compliance or identity review, a card that hasn't been activated for card-not-present or digital transactions, a bank blocking this specific cardholder from certain merchant categories, or an authorized user on a joint account with restricted transaction permissions.
What should my customer do when Stripe returns not_permitted?
Ask them to contact their bank and say: 'I need to activate online and subscription payments on my card and remove any transaction restrictions on my account.' Providing this exact script in your email significantly increases the rate at which customers take action. If the bank restriction cannot be resolved, direct them to an alternate payment method such as PayPal, bank transfer, or a different card.
Should I retry a payment after a Stripe not_permitted decline?
Only after the customer confirms their bank has cleared the restriction. Gate all retries behind a customer confirmation step — a one-click confirmation link in your email that triggers an immediate retry when clicked. Limit total retries to 2 attempts. Blind retries without bank contact produce only 3–7% recovery and risk escalating the account-level restriction.
What is the recovery rate for Stripe not_permitted failures?
Overall recovery rates are 15–30%. Among customers who contact their bank and resolve the permission restriction, 40–55% recover successfully. Adding an alternate payment method offer from Day 3 alongside the bank-contact sequence adds 12–18% additional recovery lift. Blind retries without customer bank action recover only 3–7%.
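The retry gate described in the FAQs above (no blind retries, a one-click confirmation link, at most 2 retries, an alternate payment method from Day 3), sketched as an added example that is not Stripe's or Recurflux's code. The HMAC-signed single-use link token, its 7-day expiry, the `state` dictionary layout and the action names are assumptions made here so that a forged or replayed link cannot trigger a charge.

```python
import hashlib
import hmac

MAX_RETRIES = 2            # page: limit total retries to 2 attempts
ALT_METHOD_FROM_DAY = 3    # page: alternate payment method offer from Day 3
TOKEN_TTL = 7 * 86400      # assumption: confirmation links expire after 7 days
SECRET = b"constructed-demo-key"  # assumption: load from a secret store in practice

def _sign(invoice_id, issued_at):
    msg = f"{invoice_id}.{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(invoice_id, issued_at):
    """Value embedded in the one-click confirmation link sent by email."""
    return f"{invoice_id}.{issued_at}.{_sign(invoice_id, issued_at)}"

def verify_token(token, now):
    """Return the invoice id if the token is authentic and unexpired, else None."""
    try:
        invoice_id, issued_at, sig = token.rsplit(".", 2)
        issued = int(issued_at)
    except ValueError:
        return None
    expected = _sign(invoice_id, issued_at)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if not 0 <= now - issued <= TOKEN_TTL:
        return None
    return invoice_id

def next_action(state, now, token=None):
    """Decide the next step for a failed invoice (state schema is hypothetical)."""
    if state["decline_code"] != "not_permitted":
        return "use_code_specific_flow"
    if token is not None:  # customer clicked the confirmation link
        if verify_token(token, now) != state["invoice_id"]:
            return "reject_link"
        if token in state["used_tokens"]:
            return "reject_link"  # replayed link must not charge again
        if state["retries"] >= MAX_RETRIES:
            return "offer_alternate_method"
        state["used_tokens"].add(token)
        state["retries"] += 1
        return "retry_charge"
    # No confirmation yet: never retry blindly, only message the customer.
    if (now - state["failed_at"]) // 86400 >= ALT_METHOD_FROM_DAY:
        return "offer_alternate_method"
    return "send_bank_contact_email"
```
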
Before you retry
Most not_permitted failures are retried on the wrong schedule — which recovers the payment about 30% of the time. The other 70% leaves permanently. See what this code is actually costing at your MRR before deciding how to handle it.